b'                EVALUATION REPORT\n\nIndependent Evaluation of NRC\xe2\x80\x99s Implementation of the Federal Information Security\n                 Management Act (FISMA) for Fiscal Year 2011\n\n                          OIG-12-A-04        November 9, 2011\n\n\n\n\n        All publicly available OIG reports (including this report) are accessible through\n                                      NRC\xe2\x80\x99s Web site at:\n                     http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                            UNITED STATES\n                    NUCLEAR REGULATORY COMMISSION\n                             WASHINGTON, D.C. 20555-0001\n\n\n\n\nOFFICE OF THE\nINSPECTOR GENERAL\n\n\n                                          November 9, 2011\n\n\n\nMEMORANDUM TO:             R. William Borchardt\n                           Executive Director for Operations\n\n\n\nFROM:                      Stephen D. Dingbaum /RA/\n                           Assistant Inspector General for Audits\n\n\nSUBJECT:                   INDEPENDENT EVALUATION OF NRC\xe2\x80\x99S\n                           IMPLEMENTATION OF THE FEDERAL INFORMATION\n                           SECURITY MANAGEMENT ACT (FISMA) FOR FISCAL\n                           YEAR 2011 (OIG-12-A-04)\n\nAttached is the Office of the Inspector General\xe2\x80\x99s (OIG) independent evaluation report\ntitled, Independent Evaluation of NRC\xe2\x80\x99s Implementation of the Federal Information\nSecurity Management Act (FISMA) for Fiscal Year 2011 (OIG-12-A-04).\n\nThe report presents the results of the subject evaluation. Agency comments provided\nduring a November 3, 2011, exit conference have been incorporated, as appropriate,\ninto this report.\n\nPlease provide information on actions taken or planned on the recommendations within\n30 days of the date of this memorandum. 
Actions taken or planned are subject to OIG\nfollowup as stated in Management Directive 6.1.\n\nWe appreciate the cooperation extended to us by members of your staff during the\nevaluation. If you have any questions or comments about our report, please contact me\nat 415-5915 or Beth Serepca, Team Leader, at 415-5911.\n\nAttachment: As stated\n\x0c                           Independent Evaluation of\n                          NRC\xe2\x80\x99s Implementation of the\n                 Federal Information Security Management Act\n                              for Fiscal Year 2011\n\n\n\n\n                                Contract Number: GS-00F-0001N\n                                 Delivery Order Number: 20291\n\n                                                 November 09, 2011\n\n\n\n\nThe views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory\n                       Commission position, policy, or decision, unless so designated by other official documentation.\n\x0c[Page intentionally left blank]\n\x0c                                                                                    Independent Evaluation of\n                                                                     NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\nEXECUTIVE SUMMARY\n\n\nBACKGROUND\n\n        On December 17, 2002, the President signed the E-Government Act of 2002, which\n        included the Federal Information Security Management Act (FISMA) of 2002.1 FISMA\n        outlines the information security management requirements for agencies, which include\n        an annual independent evaluation of an agency\xe2\x80\x99s information security program2 and\n        practices to determine their effectiveness. 
This evaluation must include testing the\n        effectiveness of information security policies, procedures, and practices for a\n        representative subset of the agency\xe2\x80\x99s information systems. FISMA requires the annual\n        evaluation to be performed by the agency\xe2\x80\x99s Office of the Inspector General (OIG) or by\n        an independent external auditor. Office of Management and Budget (OMB)\n        memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information\n        Security Management Act and Agency Privacy Management, dated September 14, 2011,\n        requires OIG to report their responses to OMB\xe2\x80\x99s annual FISMA reporting questions for\n        OIGs via an automated collection tool.\n\n        Richard S. Carson & Associates, Inc. (Carson Associates), performed an independent\n        evaluation of the Nuclear Regulatory Commission\xe2\x80\x99s (NRC) implementation of FISMA\n        for fiscal year (FY) 2011. This report presents the results of that independent evaluation.\n        Carson Associates also submitted responses to OMB\xe2\x80\x99s annual FISMA reporting questions\n        for OIGs via OMB\xe2\x80\x99s automated collection tool.\n\n        This report reflects the status of the agency\xe2\x80\x99s information security program for FY 2011.\n\nPURPOSE\n\n        The objective of this review was to perform an independent evaluation of the NRC\xe2\x80\x99s\n        implementation of FISMA for FY 2011.\n\nRESULTS IN BRIEF\n\n        Program Enhancements and Improvements\n\n        Over the past 9 years, NRC has continued to make improvements to its information\n        system security program and continues to make progress in implementing the\n        recommendations resulting from previous FISMA evaluations. 
The agency has\n        accomplished the following since the FY 2010 FISMA independent evaluation:\n\n\n\n1\n  The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the\n  E-Government Act of 2002 (Public Law 107-347) and replaces the Government Information Security Reform Act,\n  which expired in November 2002.\n2\n  For the purposes of FISMA, the agency uses the term \xe2\x80\x9cinformation system security program.\xe2\x80\x9d\n\n\n                                                      i\n\x0c                                                                                      Independent Evaluation of\n                                                                       NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\n                 The agency continued to make significant progress in assessing and authorizing\n                 its systems.3 In FY 2011, the agency completed security assessment and\n                 authorization of two new agency systems, and completed security assessment and\n                 re-authorization of two existing agency systems, and one existing contractor\n                 system.4 As of the completion of fieldwork for FY 2011, all 22 operational NRC\n                 information systems and both systems used or operated by a contractor or other\n                 organization on behalf of the agency had a current authorization to operate.\n                 The agency completed or updated security plans for all of the agency\xe2\x80\x99s 22\n                 operational systems and for both contractor systems.\n                 The agency completed annual security control testing for all agency systems and\n                 for all contractor systems.\n                 The agency completed annual contingency plan testing for all agency systems and\n                 for all contractor systems, including updating the contingency plans.\n                 The agency issued 
several new or updated Computer Security Office processes\n                 and standards including the NRC Risk Management Framework (RMF) and\n                 Authorization Process (new), a series of standards defining the values NRC has\n                 assigned for the 17 families of security controls (new), the NRC System Back-up\n                 Standard (new), and the NRC Plan of Action and Milestones (POA&M) Process\n                 (updated).\n\n        Program Weaknesses\n\n        While the agency has continued to make improvements in its information system security\n        program and has made progress in implementing the recommendations resulting from\n        previous FISMA evaluations, the independent evaluation identified three information\n        system security program weaknesses.\n\n                 There is a repeat finding from several previous independent evaluations: the\n                 agency\xe2\x80\x99s POA&M program still needs improvement.\n                 The agency has not developed an organizationwide risk management strategy.\n                 Configuration management procedures are not consistently implemented.\n\nRECOMMENDATIONS\n\n        This report makes recommendations to the Executive Director for Operations to improve\n        NRC\xe2\x80\x99s information system security program and implementation of FISMA. A\n        consolidated list of recommendations appears on page 37 of this report.\n\n\n\n\n3\n  With the issuance of NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to\n  Federal Information Systems, the terms certification and accreditation are no longer being used. The new\n  terminology is security assessment and authorization.\n4\n  The Licensing Support Network was decommissioned subsequent to re-authorization. 
This system is no longer\n  included in the agency\xe2\x80\x99s inventory of contractor systems.\n\n\n                                                      ii\n\x0c                                                                          Independent Evaluation of\n                                                           NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\nAGENCY COMMENTS\n\n     At an exit conference on November 3, 2011, agency officials agreed with the report\xe2\x80\x99s\n     findings and recommendations and provided a few editorial changes, which the OIG\n     incorporated as appropriate. The agency opted not to submit formal comments.\n\n\n\n\n                                            iii\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              iv\n\x0c                                                                         Independent Evaluation of\n                                                          NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\nABBREVIATIONS AND ACRONYMS\n\n\nASCT                Annual Security Control Testing\nATU                 Authorization to Utilize\nBIA                 Business Impact Assessment\nCarson Associates   Richard S. 
Carson and Associates, Inc.\nCFO                 Chief Financial Officer\nCIO                 Chief Information Officer\nCIS                 Center for Internet Security\nCISO                Chief Information Security Officer\nCPIC                Capital Planning and Investment Control\nCSIRT               Computer Security Incident Response Team\nCSO                 Computer Security Office\nDAA                 Designated Approving Authority\nDEDO                Deputy Executive Director for Operations\nDISA                Defense Information Systems Agency\nEDO                 Executive Director for Operations\nFDCC                Federal Desktop Core Configuration\nFIPS                Federal Information Processing Standard\nFISMA               Federal Information Security Management Act\nFY                  Fiscal Year\nGAO                 Government Accountability Office\nIM                  Information Management\nISSO                Information Systems Security Officer\nIT                  Information Technology\nITBC                IT/IM Business Council\nITSAC               IT/IM Senior Advisory Council\nITSPG               IT/IM Strategic Planning Group\nMD                  Management Directive\nMOU                 Memorandum of Understanding\nNIST                National Institute of Standards and Technology\nNRC                 Nuclear Regulatory Commission\nNSICD               NRC System Information Control Database\nOIG                 Office of the Inspector General\nOIS                 Office of Information Services\nOMB                 Office of Management and Budget\nPII                 Personally Identifiable Information\nPMM                 Project Management Methodology\n\n\n                                             v\n\x0c                                                            Independent Evaluation of\n                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\nPOA&M     Plan of Action and 
Milestones\nRMF       Risk Management Framework\nSCAP      Security Content Automation Protocol\nSGI       Safeguards Information\nSP        Special Publication\nST&E      Security Test and Evaluation\nUS-CERT   United States Computer Emergency Readiness Team\nUSGCB     United States Government Configuration Baseline\n\n\n\n\n                                vi\n\x0c                                                                                                             Independent Evaluation of\n                                                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\nTABLE OF CONTENTS\n\n\nExecutive Summary ....................................................................................................... i\nAbbreviations and Acronyms ...................................................................................... v\n\n1 Background .............................................................................................................. 1\n2 Objective ................................................................................................................... 1\n3 Findings .................................................................................................................... 1\n  3.1 FISMA Systems Inventory .............................................................................. 2\n            The NRC System Inventory Meets FISMA Requirements .......................................................... 3\n    3.2     Risk Management (Question 1) ...................................................................... 4\n            The NRC Risk Management Program Needs Improvement ........................................................ 4\n            3.2.1 Risk Management Program ........................................................................... 
5\n            NRC Has Not Developed an Organizationwide Risk Management Strategy .............................. 7\n            3.2.2 Risk Management Framework ....................................................................... 7\n            All Major Applications and General Support Systems Have Been Categorized in\n                 Accordance with NRC Policy .............................................................................................. 9\n            Security Plans Have Been Developed or Updated in Accordance with NRC Policy .................. 9\n            All Agency Systems Have a Current Authorization To Operate ................................................. 9\n    3.3     Configuration Management (Question 2) .................................................... 10\n            The NRC Security Configuration Management Program Is Generally Consistent with\n                FISMA Requirements, OMB Policy, and Applicable NIST Guidelines ............................ 10\n            Standard Baseline Configurations Are Not Implemented on Some NRC Systems ................... 12\n            Software Compliance Assessment Procedures Are Not Consistently Implemented ................. 13\n            Vulnerability Remediation and Patch Management Procedures Are Not Consistently\n                Implemented....................................................................................................................... 14\n    3.4     Incident Response and Reporting (Question 3) ......................................... 16\n            The NRC Incident Response and Reporting Program Is Generally Consistent with FISMA\n                Requirements, OMB Policy, and Applicable NIST Guidelines ......................................... 16\n    3.5     Security Training (Question 4) ..................................................................... 
19\n            The NRC Security Training Program Is Generally Consistent with FISMA Requirements,\n                OMB Policy, and Applicable NIST Guidelines ................................................................. 19\n    3.6     POA&M (Question 5) ..................................................................................... 21\n            The NRC POA&M Program Needs Improvement .................................................................... 22\n            POA&Ms Do Not Include All Known Security Weaknesses .................................................... 24\n            Initial Target Remediation Dates Are Still Often Missed .......................................................... 24\n            POA&Ms Are Not Updated in a Timely Manner ...................................................................... 25\n    3.7     Remote Access (Question 6) ........................................................................ 25\n            The NRC Remote Access Program Is Generally Consistent with FISMA Requirements,\n                OMB Policy, and Applicable NIST Guidelines ................................................................. 25\n    3.8     Identity and Access Management Program (Question 7) .......................... 26\n\n\n                                                                       vii\n\x0c                                                                                                              Independent Evaluation of\n                                                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\n           The NRC Identity and Access Management Program Is Generally Consistent with FISMA\n               Requirements, OMB Policy, and Applicable NIST Guidelines ......................................... 27\n    3.9    Continuous Monitoring Management (Question 8) .................................... 
28\n           The NRC Continuous Monitoring Program Is Generally Consistent with FISMA\n               Requirements, OMB Policy, and Applicable NIST Guidelines ......................................... 29\n           NRC Has Completed Annual Security Control Testing for All Agency and Contractor\n               Systems .............................................................................................................................. 30\n    3.10 Contingency Planning (Question 9)............................................................. 30\n           The NRC Business Continuity/Disaster Recovery Program Is Generally Consistent with\n               FISMA Requirements, OMB Policy, and Applicable NIST Guidelines ............................ 30\n           Annual Contingency Plan Testing Was Completed for All Agency Systems and All\n               Contractor Systems ............................................................................................................ 31\n    3.11 Contractor Systems (Question 10) .............................................................. 31\n           The NRC Contractor Oversight Program Is Generally Consistent with FISMA\n               Requirements, OMB Policy, and Applicable NIST Guidelines ......................................... 32\n           Agency Oversight of Contractor Systems Meets FISMA Requirements ................................... 33\n    3.12 Security Capital Planning (Question 11) ..................................................... 33\n           The NRC CPIC Program Is Generally Consistent with FISMA Requirements, OMB Policy,\n               and Applicable NIST Guidelines ....................................................................................... 33\n4 Consolidated List of Recommendations ............................................................. 37\n5 Agency Comments ................................................................................................ 
39\n\n\nAppendix.                OBJECTIVE, SCOPE, AND METHODOLOGY ............................................ 41\n\n\n\nList of Tables\n\n    Table 3-1. Total Number of Agency and Contractor Systems and Number\n               Reviewed by FIPS 199 System Impact Level ................................................. 4\n\n\n\nList of Figures\n\n    Figure 1: Tiered Risk Management Approach (source: NIST SP 800-37, Revision 1).... 5\n    Figure 2: Risk Management Framework (source: NIST SP 800-37, Revision 1) ............. 8\n\n\n\n\n                                                                       viii\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\n1      Background\n\nOn December 17, 2002, the President signed the E-Government Act of 2002, which included the\nFederal Information Security Management Act (FISMA) of 2002. FISMA outlines the\ninformation security management requirements for agencies, which include an annual\nindependent evaluation of an agency\xe2\x80\x99s information security program and practices to determine\ntheir effectiveness. This evaluation must include testing the effectiveness of information security\npolicies, procedures, and practices for a representative subset of the agency\xe2\x80\x99s information\nsystems. FISMA requires the annual evaluation to be performed by the agency\xe2\x80\x99s Office of the\nInspector General (OIG) or by an independent external auditor. Office of Management and\nBudget (OMB) memorandum M-11-33, FY 2011 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management, dated September 14,\n2011, requires OIG to report their responses to OMB\xe2\x80\x99s annual FISMA reporting questions for\nOIGs via an automated collection tool.\n\nRichard S. Carson & Associates, Inc. 
(Carson Associates), performed an independent evaluation\nof the Nuclear Regulatory Commission\xe2\x80\x99s (NRC) implementation of FISMA for fiscal year (FY)\n2011. This report presents the results of that independent evaluation. Carson Associates also\nsubmitted responses to OMB\xe2\x80\x99s annual FISMA reporting questions for OIGs via OMB\xe2\x80\x99s\nautomated collection tool.\n\nThis report reflects the status of the agency\xe2\x80\x99s information security program for FY 2011.\n\n2      Objective\n\nThe objective of this review was to perform an independent evaluation of NRC\xe2\x80\x99s implementation\nof FISMA for FY 2011. The appendix contains a description of the evaluation objective, scope,\nand methodology.\n\n3      Findings\n\nOver the past 9 years, NRC has continued to make improvements to its information system\nsecurity program and continues to make progress in implementing the recommendations\nresulting from previous FISMA evaluations. The agency has accomplished the following since\nthe FY 2010 FISMA independent evaluation:\n\n       The agency continued to make significant progress in assessing and authorizing its\n       systems. In FY 2011, the agency completed security assessment and authorization of two\n       new agency systems, and completed security assessment and re-authorization of two\n       existing agency systems, and one existing contractor system. 
As of the completion of\n       fieldwork for FY 2011, all 22 operational NRC information systems and both systems\n       used or operated by a contractor or other organization on behalf of the agency had a\n       current authorization to operate.\n       The agency completed or updated security plans for all of the agency\xe2\x80\x99s 22 operational\n       systems and for both contractor systems.\n\n\n\n                                                 1\n\x0c                                                                             Independent Evaluation of\n                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\n       The agency completed annual security control testing for all agency systems and for all\n       contractor systems.\n       The agency completed annual contingency plan testing for all agency systems and for all\n       contractor systems, including updating the contingency plans.\n       The agency issued several new or updated Computer Security Office processes and\n       standards including the NRC Risk Management Framework (RMF) and Authorization\n       Process (new), a series of standards defining the values NRC has assigned for the 17\n       families of security controls (new), the NRC System Back-up Standard (new), and the\n       NRC Plan of Action and Milestones (POA&M) Process (updated).\n\n       While the agency has continued to make improvements in its information system security\n       program and has made progress in implementing the recommendations resulting from\n       previous FISMA evaluations, the independent evaluation identified three information\n       system security program weaknesses.\n\n               There is a repeat finding from several previous independent evaluations: the\n               agency\xe2\x80\x99s POA&M program still needs improvement.\n               The agency has not developed an organizationwide risk management strategy.\n        
       Configuration management procedures are not consistently implemented.\n\nThe following sections present the detailed findings from the independent evaluation and are\norganized based on the OIG section of the OMB FISMA reporting tool. Beginning with Section\n3.2, each major section corresponds to a question or set of questions from the OIG section of the\nOMB FISMA reporting tool. Findings are presented in the sections to which they are relevant.\n\n3.1    FISMA Systems Inventory\n\nFISMA requires agencies to develop and maintain an inventory of major information systems\n(including major national security systems) operated by or under control of the agency. The\ninventory must include an identification of the interfaces between each such system and all other\nsystems or networks, including those not operated by or under the control of the agency. The\ninventory must be updated at least annually and must also be used to support information\nresources management. National Institute of Standards and Technology(NIST) Special\nPublication (SP) 800-53, Recommended Security Controls for Federal Information Systems and\nOrganizations, control PM-5, Information System Inventory, requires organizations to develop\nand maintain an inventory of its information systems.\n\nManagement Directive (MD) and Handbook 12.5, NRC Automated Information Security\nProgram, also define requirements for the agency\xe2\x80\x99s inventory of automated information systems.\nThe agency\xe2\x80\x99s inventory must identify all interfaces between each system and all other systems\nand networks, including those not operated by or under the control of the agency.\n\n\n\n\n                                                2\n\x0c                                                                                           Independent Evaluation of\n                                                                            NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\nThe NRC System 
Inventory Meets FISMA Requirements\n\nPrevious FISMA independent evaluations found that the agency\xe2\x80\x99s official inventory repository,\nNRC System Information Control Database (NSICD), did not include complete interface\ninformation and that the majority of the interface in NSICD was inconsistent with information\nincluded in information technology (IT) security documentation, as well as with interface\ninformation within NSICD. While interface information can be found in other locations and\ndocumentation, FISMA requires that the inventory \xe2\x80\x9cmust include an identification of the\ninterfaces between each such system and all other systems or networks, including those not\noperated by or under the control of the agency.\xe2\x80\x9d In response to recommendations from previous\nindependent evaluations, the agency updated NSICD to include interface information for all\nsystems in the NRC inventory. The agency also updated a guide for the Computer Security\nOffice (CSO) administrative staff for entering data into security records within NSICD to ensure\ninterface information is consistent with interface information in security plans and risk\nassessments and to ensure interface information is kept up-to-date. The agency\xe2\x80\x99s continuous\nmonitoring program also includes requirements for reviewing system interfaces.\n\nCarson Associates reviewed security plans for 22 systems to identify the interfaces for those\nsystems. Carson Associates then reviewed the records for those systems in NSICD to determine\nif the agency\xe2\x80\x99s inventory included the interfaces identified in the security plans. 
Carson\nAssociates also analyzed the interface information in NSICD for consistency within the\ninventory.\n\nAs of completion of fieldwork, NRC had 22 operational systems that fall under FISMA reporting\nrequirements.5 Of the 22, 10 are general support systems,6 and 12 are major applications.7 NRC\nhad two systems operated by a contractor or other organization on behalf of the agency (two\ngeneral support systems). Of the two, one is operated by a federally funded research and\ndevelopment center, and one is operated by a private contractor. As required by FISMA, Carson\nAssociates selected a subset of NRC systems and contractor systems for evaluation during the\nFY 2011 FISMA independent evaluation. Subsequent to the start of field work, the contractor\nsystem selected for evaluation was decommissioned by the agency. Therefore, no contractor\nsystems were included in the FY 2011 evaluation.\n\n\n\n\n5\n  NRC also has a number of major applications and general support systems currently in development. For FISMA\n  reporting purposes, only operational systems are considered.\n6\n  A general support system is an interconnected set of information resources under the same direct management\n  control that share common functionality. Typical general support systems are local and wide area networks,\n  servers, and data processing centers.\n7\n  A major application is a computerized information system or application that requires special attention to security\n  because of the risk and magnitude of harm that would result from the loss, misuse, or unauthorized access to or\n  modification of the information in the application.\n\n\n                                                          3\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\n                   Table 3-1. 
Total Number of Agency and Contractor Systems\n                                      and Number Reviewed\n                                by FIPS 199 System Impact Level\n                                                                             Total Number of\n                                                                            Systems (Agency\n                           Agency Systems        Contractor Systems\n                                                                             and Contractor\n                                                                                Systems)\n      FIPS 199 System     Total     Number        Total      Number         Total        Number\n        Impact Level     Number    Reviewed      Number     Reviewed       Number       Reviewed\n           High             9          1            1            0            10             1\n         Moderate           13         2            1            0            14             2\n           Low              0          0            0            0             0             0\n      Not Categorized       0          0            0            0             0             0\n           Total            22         3            2            0            24             3\n\nNOTE: The agency is in the process of reorganizing some of its infrastructure systems by\nconsolidating one existing system into another existing system and is also separating a portion of\nthat same existing system into a new, separate system. The existing system is in the process of\nbeing re-authorized to operate to reflect the changes and the new system is also in the process of\nbeing authorized to operate as a separate system. 
As a result of this reorganization, the number of reportable systems at the agency will remain at 24.

3.2      Risk Management (Question 1)

FISMA requires agencies to perform periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency. NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, describes both the risk management framework (formerly referred to as certification and accreditation) and the concept of integrated organizationwide risk management.

The NRC Risk Management Program Needs Improvement

In order to evaluate the agency’s risk management program, Carson Associates reviewed NRC policies, procedures, and guidance specific to risk management and the risk management framework. We also reviewed the annual security control testing (ASCT) report for the agency’s common controls, as the risk management strategy (PM-9), the security authorization process (PM-10), and mission/business process definition (PM-11) are provided at the agency level for all NRC information systems.

The agency has established and is maintaining a risk management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.
However, the agency has not developed an organizationwide risk management strategy in accordance with Government policies.

3.2.1 Risk Management Program

NIST SP 800-37, Revision 1, introduces the concept of integrated organizationwide risk management. The three-tiered approach to risk management addresses risk-related concerns at (i) the organization level (Tier 1 – Governance), (ii) the mission and business process level (Tier 2 – Information and Information Flows), and (iii) the information system level (Tier 3 – Environment of Operation) (see Figure 1). Risk decisions at Tiers 1 and 2 impact the ultimate selection and deployment of needed safeguards and countermeasures (i.e., security controls) at the information system level.

Figure 1: Tiered Risk Management Approach (source: NIST SP 800-37, Revision 1)

NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, provides additional guidance for developing and implementing an integrated, organizationwide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of Federal information systems.
This publication describes appropriate governance structures for providing oversight for the risk management activities conducted by an organization and further expands on the role of the risk executive (function).

Documented Policies and Procedures

The agency’s risk management program includes documented and centrally accessible policies and procedures for risk management, including descriptions of the roles and responsibilities of participants in this process. MD and Handbook 12.5 describe the agency’s IT security program, including aspects of risk management. This policy states that information security protections shall be commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems that are operated, maintained, or sponsored by the agency. It states that security risks must be managed in a way that complements and does not unnecessarily impede agency business operations. By understanding risks and implementing an appropriate level of cost-effective controls, NRC can significantly reduce risk and potential loss. MD and Handbook 12.5 define organizational responsibilities for implementing the agency’s IT security program, including risk management. MD and Handbook 12.5 require that security plans include a strategy for risk management and that significant risks be identified, along with responsibilities and mitigation strategies to reduce them.
MD and Handbook 12.5 also describe the process for identifying risk for an automated information system.

MD and Handbook 2.8, Project Management Methodology (PMM), and the agency’s PMM Web site include policies and procedures for ensuring that IT investments are planned, built, selected, managed, and evaluated to maximize the value and minimize the risks of those investments in accordance with Federal statutes and regulations. The PMM states that risk management must be applied to all IT projects throughout the life cycle and that risks to project success must be identified early and managed before they become problems.

The PMM also includes an IT capital planning and investment control (CPIC) program to ensure management of IT investments through the research, selection, control, and evaluation phases of the investment life cycle. Participants in the CPIC program provide governance at the organizational level to ensure risk is addressed from an organizational perspective. These participants include the Executive Director for Operations (EDO) and Chief Financial Officer (CFO), the Chief Information Officer (CIO), the Program Review Committee, the IT/Information Management (IM) Senior Advisory Council (ITSAC), the IT/IM Strategic Planning Group (ITSPG), the IT/IM Business Council (ITBC), the Enterprise Configuration Control Board, and the Deputy Executive Directors for Operations (DEDO) as the Designated Approving Authorities (DAA).

The NRC CPIC process, a component of the PMM, addresses NRC mission business needs, processes, and process impacts for information security risk. Business sponsors must identify business needs, business processes, business process impacts, alignment with the NRC Strategic Plan and Enterprise Architecture, and security considerations in the Vision and Business Case documents.
These documents must be reviewed and assessed by the ITBC and approved by the CIO or the Office of Information Services (OIS) in order to receive approval to proceed to the next phase of the CPIC and PMM processes.

The first step of the risk management framework, categorize, documents information protection needs arising from the defined business processes. Information types are mapped to the Business Area, Line of Business, and Sub-Function from the Federal Enterprise Architecture Business Reference Model listed in the Business Case, and associated impact levels are assessed in accordance with NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, Volumes I and II, and Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems. Security categorizations are reviewed and must be approved by CSO in order for the project to proceed to the next step in the risk management framework.

Risk is addressed from an information system perspective as part of the NRC Risk Management Framework (RMF), which focuses on identifying information system risk throughout the system development life cycle. The RMF is guided by risk decisions at the organizational perspective and the mission/business perspective. For example, the selection of agencywide common controls at the organizational level guides the implementation of system level controls.
The agency conducts system-specific risk assessments as part of the security assessment and authorization process and updates them as part of the agency’s continuous monitoring process.

Communication of Risk

System specific risks are reported via quarterly POA&M updates and security assessment briefings to office directors and DAAs. Mission/business specific risks are communicated at the monthly ITBC meeting, semiannual ITSAC meeting, and monthly senior executives meetings. The CIO briefs the Chief Information Security Officer (CISO) and other Office Directors on organizational level risks semi-annually during the ITSAC meeting. Senior officials are also briefed on threat activity on a regular basis by appropriate personnel. The briefings occur at least monthly. Senior officials are briefed by the CISO, OIS Security Operations, the CSO FISMA Compliance and Oversight Team, and the CSO Cyber Situational Awareness, Analysis, and Response Team.

NRC Has Not Developed an Organizationwide Risk Management Strategy

NIST SP 800-53, control PM-9, Risk Management Strategy, requires organizations to (i) develop a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems and (ii) implement that strategy consistently across the organization. While the agency has a governance structure in place at the organizational level to ensure risk is addressed from an organizational perspective, it has not developed or implemented an organizationwide risk management strategy in accordance with government policies.

RECOMMENDATION

   The Office of the Inspector General recommends that the Executive Director for Operations:

   1. Develop and implement an organizationwide risk management strategy that is consistent with NIST SP 800-37 and NIST SP 800-39.

3.2.2 Risk Management Framework

NIST SP 800-37, Revision 1, also provides guidelines for applying the RMF, which provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle (see Figure 2). The RMF operates primarily at Tier 3 in the risk management hierarchy but can also have interactions at Tiers 1 and 2 (e.g., providing feedback from ongoing authorization decisions to the risk executive, dissemination of updated threat and risk information to authorizing officials and information system owners). The RMF replaces the process formerly known as certification and accreditation.

Figure 2: Risk Management Framework (source: NIST SP 800-37, Revision 1)

NIST SP 800-37, Revision 1, describes the process of applying the RMF to Federal information systems and includes a set of well-defined tasks for completing each step of the framework.
The document also describes the various roles and responsibilities of key participants in the organization’s risk management process (e.g., risk executive (function), authorizing official, authorizing official designated representative, chief information officer, senior information security officer, enterprise architect, information security architect, information owner/steward, information system owner, common control provider, information system security officer, and security control assessor).

Security authorization is the official management decision, conveyed through the authorization decision document, given by a senior organizational official or executive (i.e., authorizing official) to authorize operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls. Through the security authorization process, authorizing officials are accountable for the security risks associated with information system operations.

Documented Policies and Procedures

The NRC risk management program includes documented and centrally accessible policies and procedures for risk management, including descriptions of the roles and responsibilities of participants in this process, specifically the agency’s risk management framework policies and procedures.
The NRC RMF and Authorization Process describes the process for applying the NIST SP 800-37 risk management framework to secure NRC systems, including the steps required to obtain authorization for IT systems, applications, laptops, services, and facilities.

The CSO Web site, specifically the Certification and Accreditation Deliverables page, is in the process of being updated for consistency with the new RMF process, and the PMM Web site will be updated to point to the RMF process. The PMM Web site includes workflows for the security assessment and authorization process and the continuous monitoring process. Each workflow includes a work breakdown structure, team allocations, and work product usage information. The PMM Web site includes templates for all required RMF artifacts. The PMM Web site also includes guidance on the use of common and inheritable controls.

In order to determine if the agency’s risk management framework is consistently implemented, Carson Associates reviewed the security assessment and authorization documents for the three systems selected for evaluation during the FY 2011 independent evaluation and found that the documents were in compliance with agency policy, with a few minor deviations. The agency has been provided detailed information on any deviations from policy that were identified.
We also found that security assessment reports are in accordance with Government policies; accreditation boundaries for agency information systems are defined in accordance with Government policies; and security authorization packages contain a system security plan, security assessment report, and POA&M in accordance with Government policies. Carson Associates also reviewed the security categorizations, security plans, and authorization to operate memoranda for all agency systems and found that (1) all major applications and general support systems have been categorized in accordance with NRC policy, (2) security plans have been developed or updated in accordance with NRC policy, and (3) all agency systems have a current authorization to operate.

All Major Applications and General Support Systems Have Been Categorized in Accordance with NRC Policy

The agency has completed or updated security categorizations for all major applications and general support systems, including those operated by a contractor or other organization on behalf of the agency.

Security Plans Have Been Developed or Updated in Accordance with NRC Policy

The agency completed or updated security plans for all of the agency’s 22 operational systems and for both contractor systems.

All Agency Systems Have a Current Authorization To Operate

The agency continued to make significant progress in assessing and authorizing its systems. In FY 2011, the agency completed security assessment and authorization of two new agency systems and completed security assessment and re-authorization of two existing agency systems and one existing contractor system.
As of the completion of fieldwork for FY 2011, all 22 operational NRC information systems and both systems used or operated by a contractor or other organization on behalf of the agency had a current authorization to operate.

3.3    Configuration Management (Question 2)

FISMA requires agencies to develop policies and procedures that ensure compliance with minimally acceptable system configuration requirements as determined by the agency. NIST SP 800-53 requires organizations to: (1) establish mandatory configuration settings for information technology products employed within the information system, (2) configure the security settings of information technology products to the most restrictive mode consistent with operational requirements, (3) document the configuration settings, and (4) enforce the configuration settings in all components of the information system.

The NRC Security Configuration Management Program Is Generally Consistent with FISMA Requirements, OMB Policy, and Applicable NIST Guidelines

In order to evaluate the agency’s security configuration management program, Carson Associates reviewed:

       - Configuration management processes and procedures located on the NRC PMM Web site.
       - Security assessment and authorization documents for the three systems selected for evaluation during the FY 2011 independent evaluation.
       - ASCT results for agency and contractor systems, specifically the results for controls related to configuration management.

The agency has established and is maintaining a configuration management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. However, Carson Associates found that configuration management procedures are not consistently implemented. Specifically, (i) standard baseline configurations are not implemented on some NRC systems; (ii) software compliance assessment procedures are not consistently implemented; and (iii) vulnerability remediation and patch management procedures are not consistently implemented.

Documented Policies and Procedures

The agency’s security configuration management program includes documented policies and procedures for configuration management. MD and Handbook 2.8 describe the agency’s project management policy, which includes configuration and change management. The purpose of change management is to identify configuration items, manage baselines and changes to configuration items, audit changes to configuration items, and define and manage baselines of configuration items. Central configuration is considered a key supporting element for the PMM, and office directors and regional administrators are required to keep the NRC’s central configuration management system (Rational ClearCase) current.

The PMM Web site provides additional details on the PMM and includes descriptions and a work breakdown structure for each phase of the PMM life cycle. Planning a project’s configuration management and change control is part of the first phase of the life cycle. Managing change requests and baselines is part of all phases of the life cycle.
To support configuration management and change control, the PMM Web site also provides several tools and documents, including additional guidance and instructions on using the agency’s central configuration management system, as well as training presentations and exercises. The agency also has a template for developing system-specific configuration management plans.

NRC also maintains an agency Master Configuration Management Plan on the PMM Web site that defines the configuration management procedures for NRC projects from inception to decommissioning. The Master Configuration Management Plan outlines the use of the agency’s central configuration management system for version control and change management for all software projects at NRC.

Federal Desktop Core Configuration (FDCC)/United States Government Configuration Baseline (USGCB) Secure Configurations

The agency’s security configuration management program includes a process for ensuring that FDCC/USGCB secure configuration settings for Windows-based components are fully implemented and that any deviations from FDCC/USGCB baseline settings are fully documented. OIS procedures require the use of standard images for desktop and laptop computers. All computers connected to the NRC network receive FDCC settings through the use of group policy object settings and are configured to FDCC standards during computer build-out.
Computers that are not attached to the network (standalone systems) are loaded with these controls as part of the standard configuration image, and additional controls are implemented through local security policy.

The agency’s continuous monitoring process requires hardening checks at least on an annual basis, if not more frequently depending on the system sensitivity level. The continuous monitoring process also requires each office and its respective systems to undergo continuous monitoring reviews, conducted by the CSO, once per fiscal year. During the review, CSO support personnel verify the FDCC settings for the office’s laptops and standalone PCs.

In addition, the agency has deployed SCAP scanning tools to verify that the agency is compliant with FDCC during security assessment and authorization. Offices and regions are required to ensure all laptops belonging to their office/region comply with FDCC standards by performing scans with approved SCAP tools. NRC conducts monthly FDCC compliance checks on all networked computers using nCircle.
Non-networked computers, such as standalone laptops, are scanned for FDCC compliance using ThreatGuard.

In response to a recommendation regarding the implementation of FDCC at NRC from the FY 2008 FISMA independent evaluation, the CSO in coordination with OIS has developed the following standards and provided them on the CSO Web page:

       - Configuration standards for NRC laptops.
       - Guidance for general laptops.
       - Procedures for applying critical updates to Safeguards Information (SGI) laptops.
       - An SGI Stand Alone Listed System Minimum Security Checklist to ensure appropriate laptop configuration.
       - Standard system security plans for NRC laptops.
       - Laptop security policy provided via memo to office directors and regional administrators and Yellow Announcement to staff.

Changes to Hardware and Software Configurations

The agency’s security configuration management program includes documented proposed or actual changes to hardware and software configurations. The NRC PMM process requires all requests for changes to be submitted via Change Requests, which are submitted by certain NRC end users, Business Sponsors, or Task Order Managers through the agency’s central configuration management tool. The PMM process also describes the steps for reviewing and responding to Change Requests, making iterative updates to the configuration baseline, and reporting configuration status.
Configuration Management Boards convene at least quarterly and for emergency changes, and they coordinate and provide oversight for configuration change control activities.

To determine if the agency documents proposed or actual changes to configuration settings, Carson Associates reviewed security test and evaluation (ST&E) results for the three systems selected for evaluation in FY 2011, and ASCT results for agency and contractor systems, specifically the test results for control CM-3, Configuration Change Control. This control requires organizations to authorize, document, and control changes to the information system. The agency’s security configuration management program includes documented proposed or actual changes to hardware and software configurations. ASCT and ST&E found this control to be in place for all three systems selected for evaluation in FY 2011 and for all but two of the remaining NRC systems. For one of those systems, the control is partially in place. For that system, the agency has documented proposed or actual changes to configuration settings, but is currently not auditing those activities.

Standard Baseline Configurations Are Not Implemented on Some NRC Systems

The agency’s security configuration management program includes standard baseline configuration definitions. The CSO has developed standard baseline configurations for software (e.g., operating systems, databases, browsers), hardware (e.g., Blackberries, thumb drives, laptops, printers), and other technologies (e.g., Web 2.0, YouTube, Twitter, Citrix) in use at the agency. CSO-defined configuration standards are used as system baseline configurations for any information system that stores, transmits/receives, or processes NRC information. In the absence of a CSO configuration standard, the agency allows Defense Information Systems Agency (DISA) standards, checklists, and guidance to be used.
In the absence of both CSO and DISA configuration information, the agency allows Center for Information Security (CIS) benchmarks to be used.

To determine if standard baseline configurations are implemented on NRC systems, Carson Associates reviewed ST&E results and vulnerability assessment reports prepared in support of ST&E for the three systems selected for evaluation in FY 2011. We also reviewed ASCT results for agency and contractor systems, specifically the test results for CM-2, Baseline Configuration, and CM-6, Configuration Settings. CM-2 requires organizations to develop, document, and maintain under configuration control a current baseline configuration of the information system, and CM-6 requires organizations to establish and document mandatory configuration settings for information technology products employed within an information system.

Despite the agency’s requirement to use standard baseline configurations for any information system that stores, transmits/receives, or processes NRC information, baseline configurations are not implemented on some NRC systems. Vulnerability scanning performed as part of ST&E (conducted in support of the security assessment and authorization process) and ASCT identified numerous vulnerabilities that demonstrate non-compliance with required baseline configurations in several systems – both legacy systems and a new system. These are vulnerabilities that have been identified by the agency as actual weaknesses requiring remediation and are being tracked on the agency’s POA&M.
In addition, ASCT found that configuration baselines and settings had not been documented for one system and that the system was not configured in compliance with agency requirements, even though this system has been in operation for many years. While a number of these vulnerabilities have been corrected since initially identified, there are still several on the POA&M that have not been corrected, including several identified by the agency during their 4th quarter FY 2010 scan of one system that have yet to be remediated. The number of actual weaknesses requiring remediation related to the implementation and documentation of standard baseline configurations indicates the agency needs to improve its configuration management procedures to ensure the NRC standard baselines are consistently implemented for all systems and to ensure baseline configurations are documented for all systems.

RECOMMENDATIONS

   The Office of the Inspector General recommends that the Executive Director for Operations:

   2. Revise existing configuration management procedures to include performance measures and/or monitoring procedures to ensure standard baseline configurations are implemented for all systems.
   3. Revise existing configuration management procedures to include performance measures and/or monitoring procedures to ensure baseline configurations are documented for all systems.

Software Compliance Assessment Procedures Are Not Consistently Implemented

The agency’s configuration management program includes procedures for assessing software for compliance with baseline configurations. The agency performs a vulnerability assessment before a system is connected to the NRC production environment, and during ST&E performed as part of security assessment and authorization.
Testing includes vulnerability scans, penetration tests, and hardening checks using a variety of tools, such as nCircle, CIS benchmarks, the CORE Impact penetration testing tool, DISA Gold Disk, NRC hardening guides, the Nessus vulnerability scanner, and the Secutor Prime vulnerability scanner.

The agency’s continuous monitoring process requires network-based scans and wireless scans at least on an annual basis, if not more frequently, depending on the system sensitivity level. System owners must provide evidence of periodic scanning to the CSO on the 15th of November, February, May, and August.

To determine if software compliance assessment procedures are consistently implemented, Carson Associates reviewed ST&E results and vulnerability assessment reports prepared in support of ST&E for the three systems selected for evaluation in FY 2011. We also reviewed ASCT results for agency and contractor systems, specifically the test results for CM-6, Configuration Settings, and RA-5, Vulnerability Scanning. CM-6 requires organizations to establish and document mandatory configuration settings for information technology products employed within an information system, and RA-5 requires organizations to scan for vulnerabilities in information systems and hosted applications.

Despite agency requirements and existing procedures for assessing compliance with baseline configurations, software compliance assessment procedures are not consistently implemented. For one system, ASCT found no evidence that any vulnerability scans had been done on that system, even though the system has been in operation for many years.
For another system that also has
been in operation for many years, ST&E performed in support of the re-authorization of the
system found that while vulnerability scans are conducted continuously as part of the agency’s
continuous monitoring program, additional scans conducted during the ST&E found numerous
vulnerabilities on servers at headquarters and in the regions. The ST&E testers’ finding, as
stated in their report, was that “either not all the segments were included in the automated
continuous monitoring scans and/or scan results from nCircle were not accessible to appropriate
personnel for prompt remediation.” The fact that recent ST&E and ASCT activities have
identified a number of vulnerabilities in systems that have been operational for many years
indicates the agency needs to improve its configuration management procedures to ensure
software compliance assessments, including vulnerability scans, are performed as required and to
ensure all system components are included in requisite software compliance assessments.

RECOMMENDATIONS

   The Office of the Inspector General recommends that the Executive Director for Operations:

   4. Revise existing configuration management procedures to include performance measures
      and/or monitoring procedures to ensure software compliance assessments, including
      vulnerability assessments, are performed as required: (i) before a system is connected to
      the NRC production environment, (ii) during security test and evaluation of systems, and
      (iii) as part of the agency’s continuous monitoring environment.
   5. Revise existing configuration management procedures to include performance measures
      and/or monitoring procedures to ensure all system components are included in requisite
      software compliance assessments.

Vulnerability Remediation and Patch Management Procedures Are Not Consistently
Implemented

The agency’s configuration management program includes a process for timely remediation of
vulnerabilities, including configuration-related vulnerabilities and scan findings, and for the
timely and secure installation of software patches. System owners are required to patch, scan,
and check the security of their systems with the rigor and frequency appropriate for the system
sensitivity level and to define the frequency for conducting routine patching. NRC requires
legitimate vulnerabilities to be remediated in accordance with an organizational assessment of
risk and within the following timeframes:

       •  Within 7 calendar days for critical findings.
       •  Within 30 calendar days for high risk findings.
       •  Within 90 calendar days for moderate risk findings.
       •  Within 120 calendar days for low risk findings.

NRC also requires system owners to ensure automated mechanisms are employed quarterly to
determine the state of information system components with regard to flaw remediation.

To evaluate the agency’s procedures for vulnerability remediation and patch management,
Carson Associates reviewed ST&E results for the three systems selected for evaluation in FY
2011, and ASCT results for agency and contractor systems, specifically the test results for RA-5,
Vulnerability Scanning, and SI-2, Flaw Remediation.
RA-5 requires organizations to scan for
vulnerabilities in information systems and hosted applications, and SI-2 requires organizations to
identify, report, and correct information system flaws.

Despite the existence of configuration management procedures regarding vulnerability
remediation and patch management, vulnerabilities, including configuration-related
vulnerabilities, scan findings, and security patch-related vulnerabilities, are not always
remediated in a timely manner. ST&E and ASCT of some systems that have been in operation
for many years found that a number of vulnerabilities identified during previous scans had not been
remediated within the timeframes required by the agency. In addition, ST&E of two systems
found that servers were missing required upgrades or patches. Both of these systems have been
operational for many years as well. ST&E of one system found that many components had never
been hardened or scanned in the past and many patches (old and new) had not been installed.
ST&E of the other system found similar issues, and the ST&E report recommended the agency
determine the root causes for not promptly identifying, reporting, and correcting information
flaws, as the same problem was encountered during the previous ST&E performed on the system
in 2009.
The ST&E report also noted that the numerous security patch-related vulnerabilities
identified during ST&E may be a result of either the agency’s enterprise-wide patching solution
not being properly configured to detect missing patches or personnel responsible for these
system components not manually requesting the patches from the enterprise-wide patching
solution.

The fact that recent ST&E and ASCT activities have identified problems with the timely
remediation of vulnerabilities in more than one operational system indicates the agency needs to
improve its configuration management procedures to ensure all identified vulnerabilities,
including configuration-related vulnerabilities, scan findings, and security patch-related
vulnerabilities, are remediated in a timely manner in accordance with the timeframes established
by NRC.

RECOMMENDATION

   The Office of the Inspector General recommends that the Executive Director for Operations:

   6. Revise existing configuration management procedures to include performance measures
      and/or monitoring procedures to ensure all identified vulnerabilities, including
      configuration-related vulnerabilities, scan findings, and security patch-related
      vulnerabilities, are remediated in a timely manner in accordance with the timeframes
      established by NRC.

3.4    Incident Response and Reporting (Question 3)

FISMA requires agencies to develop, document, and implement an agencywide information
security program that includes procedures for detecting, reporting, and responding to security
incidents.
NIST SP 800-53 requires organizations to (1) implement an incident handling
capability for security incidents that includes preparation, detection and analysis, containment,
eradication, and recovery; (2) track and document information system security incidents; (3)
report security incident information to designated authorities; and (4) develop an incident
response plan that provides the organization with a roadmap for implementing its incident
response capability.

The NRC Incident Response and Reporting Program Is Generally Consistent with FISMA
Requirements, OMB Policy, and Applicable NIST Guidelines

In order to evaluate the agency’s security incident reporting program, Carson Associates
reviewed NRC policies, procedures, and guidance specific to incident response and reporting.
We also reviewed the ASCT report for the agency’s common controls, as incident response
policies and procedures are provided at the agency level for all NRC information systems, and
interviewed personnel responsible for implementing incident response policies and procedures.
We determined that the agency has established and is maintaining an incident response and
reporting program that is consistent with FISMA requirements, OMB policy, and applicable
NIST guidelines.

Documented Policies and Procedures

The agency’s incident response and reporting program includes documented policies and
procedures for detecting, responding to, and reporting incidents. MD and Handbook 12.5,
Appendix B, formalizes the agency’s procedures for monitoring, detecting, reporting, and
responding to information systems security incidents. It also provides the requirements and
procedures for reporting incidents internally, for reporting to the United States Computer
Emergency Readiness Team (US-CERT),8 and for reporting to law enforcement.
The MD
defines the roles and responsibilities for reporting and responding to information systems
security incidents.

8   The procedures actually reference reporting to the Federal Computer Incident Response Center, which was
    replaced with the US-CERT when the Department of Homeland Security was established. Newer NRC
    procedures properly refer to US-CERT.

On May 2, 2008, the agency issued a revised policy on computer security incident response and
personally identifiable information (PII) incident response. The policy provides direction for
responding to computer security incidents affecting the NRC’s systems, networks, and users, as
well as PII incidents, and will be included in the next revision of MD and Handbook 12.5. The
revised policy contains timeframes for responding to such incidents, based on the criticality of
the affected resources and the incident; formally establishes a Computer Security Incident
Response Team (CSIRT) to respond to such incidents; and outlines the CSIRT’s security
incident response process. The CSIRT will include staff from the following offices: Computer
Security Office, Office of Information Services, Office of Administration, and Office of Nuclear
Security and Incident Response. The policy also specifies when the OIG should be involved in
addressing a computer security incident.

In addition to issuing the revised policy on computer security incident response and PII incident
response and forming CSIRT, the agency developed the following policies and guidelines related
to detecting, reporting, and responding to security incidents.
These documents include guidance
on reporting incidents internally, reporting incidents to US-CERT, and reporting to law
enforcement.9

       •  Information Systems Security Incident Response Procedures, May 11, 2004 (Appendix B
          from MD and Handbook 12.5).
       •  CSIRT Responder Guide, Version 2.0, May 20, 2011.
       •  CSIRT Standard Operating Procedures, Version 2.0, June 30, 2011.

The CSO also maintains an incident response Web site that provides information on incident
response, including what to do if a user discovers a virus; suspicious e-mail; the deliberate or
inadvertent release of sensitive, classified, or safeguards information; or missing IT equipment.

The CSIRT conducts periodic incident response testing. The test results are documented and
include a description of the scenario and responses to scenario questions on preparation;
response and analysis; containment, eradication, and recovery; and forensics. The test results
also include a checklist of actions that should have been taken during the exercise and
documented lessons learned.

In order to determine if incident response and reporting procedures are consistently implemented
in accordance with Government policies, we reviewed the ASCT report for the agency’s
common controls. Incident response policies and procedures are provided at the agency level for
all NRC information systems. ASCT of all incident response controls found them to be
implemented correctly, operating as intended, and producing the desired outcome with respect to
meeting the security requirements for the agency.

9   CSIRT does not report incidents directly to law enforcement.
    If an incident might warrant reporting to law
    enforcement, CSIRT notifies the OIG Computer Crimes Unit, which then decides whether or not external law
    enforcement should be involved.

Analysis, Validation, and Documentation of Incidents

The agency’s incident response and reporting program includes comprehensive analysis,
validation, and documentation of incidents. The agency recently issued the Computer Security
Incident Response Plan, CSO-IR PLAN-6001, Version 1.0, June 20, 2011, which provides the
NRC plan for responding to computer security incidents affecting NRC’s infrastructure,
networks, and users. It describes the organization of the NRC incident response capability and is
intended to be used by security personnel who are assigned computer security incident response
related duties and responsibilities.
The NRC Computer Security Incident Response Plan
describes the incident handling capability, and guidance for preparation, detection and analysis,
containment, eradication, and recovery is included in both the NRC CSIRT Incident Response
Responder Guide and the CSIRT Test Plan.

Incidents are documented using a CSIRT Incident Report Form and monitored using the CSIRT
Incident Response Tracking Sheet, and these documents are retained in a centralized location.
The CSIRT Incident Report Form and CSIRT Incident Response Tracking Sheet provide detailed
information about incidents reported to the CSIRT and allow the CSIRT to maintain records
about each incident, monitor the status of incidents, maintain other pertinent information
necessary for forensics, and evaluate incident details, trends, and handling.

Reporting to US-CERT and Law Enforcement

The agency’s incident response and reporting program includes procedures for reporting to
US-CERT within established timeframes. The NRC Computer Security Incident Response Plan
states the CSIRT uses the US-CERT Incident Reporting System Web Site as a secure automated
mechanism for reporting computer security related incidents. NRC requires NRC staff and
contractors to report suspected computer security incidents to the NRC CSIRT via telephone or
email within 1 hour of detection. The CSIRT Responder Guide and the CSIRT Standard
Operating Procedures specify the types of incidents that must be reported to US-CERT, and the
timeframes for reporting each category of incident to US-CERT. The agency’s incident response
and reporting program also includes procedures for reporting to law enforcement within
established timeframes. The CSIRT Responder Guide states the CSIRT is responsible for
determining if law enforcement and/or OIG involvement is needed.
MD and Handbook 12.5
state that when criminal activity is suspected or confirmed, the OIG is responsible for
contacting and coordinating the response with law enforcement officials.

Responding To and Resolving Incidents

The agency’s incident response and reporting program includes procedures for responding to and
resolving incidents in a timely manner, as specified in agency policy or standards, to minimize
further damage. The NRC Computer Security Incident Response Plan states the CSIRT
prioritizes, monitors, tracks, and coordinates computer security related incidents at NRC.
Categories and classes of incidents are defined, and appropriate actions to take are included in the
NRC CSIRT Standard Operating Procedures and CSIRT Responder Guide. The incident
handling capability and guidance for preparation, detection and analysis, containment,
eradication, and recovery are included in both the NRC CSIRT Incident Response Responder
Guide and the CSIRT Test Plan.

Tracking and Managing Risk in Virtual/Cloud Environments

The agency’s incident response and reporting program is capable of tracking and managing risks
in a virtual/cloud environment. The NRC does not currently have or make use of “cloud”
environments for its systems. The NRC does run a clustered virtualized server environment and
proactively tracks and manages risk in that environment in the same manner it does for
non-virtualized systems.

Correlating Incidents

The agency’s incident response and reporting program is capable of correlating incidents.
The
agency uses a variety of tools, including firewalls, filtering tools, scanners, intrusion
detection systems, and data loss prevention tools, to detect and respond to cyber security
incidents, and these tools allow the agency to correlate incidents and perform regular incident
correlation activities.

3.5    Security Training (Question 4)

FISMA requires agencies to develop, document, and implement an agencywide information
security program that includes security awareness training for information personnel, including
contractors and other users of information systems that support the operations and assets of the
agency. The security awareness training must inform personnel of information security risks
associated with their activities, and their responsibilities in complying with agency policies and
procedures designed to reduce these risks. NIST SP 800-53 requires organizations to (1)
provide basic security awareness training to all information system users (including managers,
senior executives, and contractors) as part of initial training for new users, when required by
system changes, and periodically thereafter; (2) provide role-based security-related training
before authorizing access to the system or performing assigned duties, when required by system
changes, and periodically thereafter; and (3) document and monitor individual information
system security training activities, including basic security awareness training and specific
information system security training.

The NRC Security Training Program Is Generally Consistent with FISMA Requirements,
OMB Policy, and Applicable NIST Guidelines

In order to evaluate the agency’s security training program, Carson Associates reviewed:

       •  NRC policies, procedures, and guidance specific to security awareness and security
          training.
       •  The ASCT report for the agency’s common controls, as security awareness and security
          training policies and procedures are provided at the agency level for all NRC information
          systems.
       •  The content of several of the agency’s security awareness and specialized security
          training courses.

We determined that the agency has established and is maintaining a security training program
that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.

Documented Policies and Procedures

The agency’s security training program includes documented policies and procedures for
security awareness training. MD and Handbook 12.5 require the agency CIO to ensure, through
coordination with the Office of Human Resources, that NRC employees and contractor staff have
appropriate initial and refresher, basics and literacy, and role-based computer security training.
The NRC Associate Director for Training and Development, Office of Human Resources, is
responsible for providing assistance in the development and delivery of appropriate information
security awareness and training programs for NRC personnel, ensuring that an information
security briefing is included in the initial orientation for new employees, ensuring that employees
receive periodic computer security refresher training, including awareness, basics, and literacy
instruction, and maintaining records concerning computer security training provided to NRC
employees.
MD and Handbook 12.5 also require all users of NRC information systems to attend
initial indoctrination and annually complete the computer security awareness refresher training.

All new NRC employees (including onsite contractors, interns, and summer hires) are required to
attend orientation the first day they report for duty. During the orientation, employees are given
a brief presentation on a variety of NRC IT-related policies that includes a discussion on
appropriate use of IT equipment. In addition, a representative from the Office of the General
Counsel presents a session on ethics that includes additional discussions on appropriate use of
the Internet.

For FY 2011, all NRC computer users, including Federal employees, detailees, interns, and
contractors, were required to take an online computer security awareness course. All NRC
employees and support contractors having network accounts were required to complete the
course by August 15, 2011. The self-paced course consisted of three parts. The first part was a
general computer security awareness training course developed by another Government agency
for Governmentwide use. The second part addressed NRC-specific computer security awareness
information and the IT protection of SGI. The third part was a review of the
agencywide Rules of Behavior for Authorized Computer Use and acknowledgement.
Completion of all three parts was required to fulfill the annual computer security requirement.
The agency also prepared a list of differences between NRC policy and the course content of the
first part of the training as a companion document to the FY 2011 training.

The agency also routinely issues network announcements on various security topics, including
spoofed and fake e-mail messages, social engineering, phishing, and security issues while
teleworking. In the spring of 2009, NRC began publishing a quarterly IT security newsletter,
FRONTLINE.
The newsletters provide the NRC with IT security awareness tips and
techniques for protecting one’s information.

The agency’s security training program also includes documented policies and procedures for
training users with significant information security responsibilities. The agency developed an IT
Role-Based Training plan that states the requirement for training for those with significant IT
responsibilities, the type of training expected for each role, and the frequency of training per role.
System owners are responsible for using the training plan procedures to address the training
needs of personnel with IT roles.

The CSO developed four role-based courses: for senior-level managers/executives, IT
managers/system owners, ISSOs, and system administrators. The CSO also provides
commercial training as resources permit. The CSO IT Security Role-Based Training Web page
provides examples of commercially available training, and additional commercial IT
security training can be found on iLearn.

In order to determine if security awareness training procedures are consistently implemented in
accordance with Government policies, we reviewed the ASCT report for the agency’s common
controls, as security awareness training procedures are provided at the agency level for all NRC
information systems.
ASCT of all awareness and training controls found them to be
implemented correctly, operating as intended, and producing the desired outcome with respect to
meeting the security requirements for the agency.

Security Training Status Tracking

The agency’s security training program includes identification and tracking of the status of
security awareness training for all personnel (including employees, contractors, and other agency
users) with access privileges that require security awareness training. Each office is responsible
for ensuring all users are entered into the iLearn system, which is used to track completion of the
annual security awareness training. The CSO’s IT Security Training Web site includes a link to
a Web page showing the completion rate for the computer security awareness training by office.
As of August 16, 2011, the agency had a 98-percent completion rate.

The agency’s security training program also includes identification and tracking of the status of
specialized training for all personnel (including employees, contractors, and other agency users)
with significant information security responsibilities that require specialized training. With
regard to IT security role-based training, CSO tracks completion dates in the IT Security Roles
Training Requirements spreadsheet, as individuals notify CSO of attendance and at the end of
the year through a data call requiring training coordinators to update the spreadsheet with
training attendance information for their staff.

3.6    POA&M (Question 5)

FISMA requires agencies to develop, document, and implement an agencywide information
security program that includes a process for planning, implementing, evaluating, and
documenting remedial action to address any deficiencies in the information security policies,
procedures, and practices of the agency.
NIST SP 800-53 requires organizations to implement a
process for ensuring that POA&Ms for the security program and the associated organizational
information systems are maintained and document the remedial information security actions to
mitigate risk to organizational operations and assets, individuals, other organizations, and the
Nation. It requires organizations to develop a POA&M for each information system to document
the organization’s planned remedial actions to correct weaknesses or deficiencies noted during
the assessment of the security controls and to reduce or eliminate known vulnerabilities in the
system; and it also requires organizations to update existing POA&Ms periodically based on the
findings from security controls assessments, security impact analyses, and continuous monitoring
activities.

The NRC POA&M Program Needs Improvement

In order to evaluate the agency’s POA&M program, Carson Associates reviewed NRC policies,
procedures, and guidance specific to POA&Ms. We also reviewed the ASCT report for the
agency’s common controls, as POA&M policies and procedures are provided at the agency level
for all NRC information systems, and analyzed the agency’s POA&Ms from Q1 FY 2011
through Q4 FY 2011.
We determined that the agency has established and is maintaining a
POA&M program that is consistent with FISMA requirements, OMB policy, and applicable
NIST guidelines and tracks and monitors known information security weaknesses.

However, as in previous independent evaluations, Carson Associates found that POA&M
procedures are still not consistently implemented. Specifically, (1) the metrics submitted to OMB
often deviated from the actual POA&Ms, (2) the agency is not always following OMB and
internal NRC POA&M guidance, and (3) the agency is closing weaknesses without sufficient
evidence from the system owners.

As in previous independent evaluations, Carson Associates also found that (1) POA&Ms do not
include all known security weaknesses, (2) initial target remediation dates are still often missed,
and (3) POA&Ms are not updated in a timely manner. These issues are primarily due to the
manual process that was used for managing and updating the POA&Ms up until Q4 FY 2011 and
should improve over time as the agency continues to use Xacta. The OIG will continue to
monitor the agency’s POA&M procedures and its use of Xacta throughout the following year’s
independent evaluation to determine whether these issues have been resolved.

Documented Policies and Procedures

The agency’s POA&M program includes documented policies and procedures for managing IT
security weaknesses discovered during security control assessments and requiring remediation.
MD and Handbook 12.5 require the system owner/sponsor to ensure that a POA&M is
developed, implemented, and maintained to track the major weaknesses that have been identified
for office-sponsored information systems.
Each office is required to regularly update the CIO on
its progress in correcting system weaknesses in order to enable the CIO to provide the agency’s
quarterly FISMA update report to OMB.

The NRC POA&M Process was issued by the CSO to ensure quality assurance is emphasized
and includes a process for conducting independent verification and validation of POA&Ms to
assure their adequacy as part of the security assessment review process. Additionally, CSO
acquired additional contract support to assist in establishing a compliance review process in
which CSO will review security documentation, conduct vulnerability scanning, and meet with
each system owner on an annual basis to verify the status of remediation efforts, assess the
comprehensiveness of planned corrective actions, and validate the accuracy of tasks,
responsibilities, and milestones for each outstanding weakness. These activities take place
quarterly, targeting approximately 25 percent of the overall number of POA&Ms. The POA&M
process was also briefed to various system owners and internal forums.

In addition, the NRC POA&M Process includes procedures for requesting quarterly POA&M
updates from system owners, compiling the data into a consolidated source, reviewing it for
accuracy, rolling up the information, and reporting it to OMB.
The agency adds any new
weaknesses identified from various sources, including OIG audits and reports, Government
Accountability Office (GAO) audits, internal control reviews, ASCT, ST&E, information
security program reviews, critical infrastructure protection vulnerability assessments, risk
assessments, penetration tests, security information assessment recommendations, security
assessment reports, quarterly scanning, vulnerability assessment reports, and confirmed security
incidents.

Tracking, Prioritizing, and Remediating Weaknesses

NRC has two primary tools for tracking IT security weaknesses associated with information
systems used or operated by the agency or by a contractor of the agency or other organization on
behalf of the agency. At a high level, NRC uses the POA&Ms required by OMB to track (1)
corrective actions from the OIG annual independent evaluation, (2) corrective actions from the
agency’s annual review, and (3) recurring FISMA and IT security action items such as ASCT
and annual contingency plan testing. The POA&Ms may also include corrective actions
resulting from other security studies conducted by or on behalf of NRC. As a result of
recommendations from the FY 2007 FISMA independent evaluation, the agency has been
working on automating the POA&M process and is currently using NSICD to store, process, and
generate the POA&Ms.
After months of research and evaluation the CSO picked Xacta, which\nwas purchased in the second half of 2009, as the agency\xe2\x80\x99s tool for automating the POA&Ms.\nThe agency began using Xacta for automating the POA&Ms beginning with Q4 FY2011.\n\nThe more specific corrective actions associated with the security assessment and authorization\nprocess (e.g., corrective actions resulting from risk assessments, ST&E, and ASCT) are tracked\nin Rational\xc2\xae ClearQuest\xc2\xae10 as change requests using the PMM process for change management.\nAll corrective actions arising from the security control testing process and from vulnerability\nscans are imported into Rational ClearQuest. A corrective action plan is generated directly from\nRational ClearQuest. System owners are responsible for remediation of each corrective action\nwithin the timeframes specified in the corrective action plan.\n\nThe agency\xe2\x80\x99s new POA&M procedures require corrective actions to be ranked based upon on the\nmost critical security weaknesses and their impact on the agency\xe2\x80\x99s mission and that that the\noverall severity of the weakness should be considered in conjunction with the system risk impact\nlevel when prioritizing the mitigation of weaknesses. Weakness severity is the potential\nmagnitude of loss that could result from weakness exploitation. 
Xacta provides a severity code\n\n\n10\n     Rational ClearQuest is an IBM software package used for software change management.\n\n\n                                                        23\n\x0c                                                                                Independent Evaluation of\n                                                                 NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\nfield for identifying the risk impact level of a weakness and a rank field for setting the relative\npriority for weaknesses within each risk level category.\n\nAdequate Resources\n\nThe agency\xe2\x80\x99s POA&M program ensures adequate resources are provided for correcting\nweaknesses. System owners are responsible for incorporating resources required for completing\ncorrective actions and ongoing security costs into the total amount allocated for security and to\nensure general weakness descriptions noted in CPIC documentation correspond to the\nweaknesses documented in the corresponding POA&M. If additional hardware, software,\nservices, or staffing are required, the POA&M should identify the cost of the resources required,\neven if already included in the organization budget. Xacta provides a field for listing the\nresources required for corrective action. System owners can report whether weakness mitigation\nresources are Funded, Unfunded, or will be Reallocated.\n\nPOA&Ms Do Not Include All Known Security Weaknesses\n\nThe agency POA&M procedures require weaknesses identified from various sources to be added\nto the appropriate program-level or system-level POA&M. 
These sources include OIG audits\nand reports, GAO audits, internal control reviews, ASCT, ST&E, information security program\nreviews, critical infrastructure protection vulnerability assessments, risk assessments, penetration\ntests, security information assessment recommendations, security assessment reports, quarterly\nscanning, vulnerability assessment reports, and confirmed security incidents.\n\nThe agency POA&M procedures also require new weaknesses to be added to the POA&M\nwithin 15 days of discovery. However, not all IT-related weaknesses were added to the\nPOA&Ms as required by agency policy.\n\n       POA&Ms do not include all IT-related weaknesses identified in OIG audits. For\n       example, an OIG report on one of the agency\xe2\x80\x99s systems (NSTS) was issued in August\n       2010; however, only one of the five recommendations from the report was added to the\n       POA&M. In September 2010, the OIG issued a report on the use of wireless at the\n       agency. Only 3 of the 18 recommendations from that report were added to the POA&M.\n       Recommendations from a recent GAO audit on securing wireless networks were not\n       added to the POA&M. While the agency may have procedures for tracking findings from\n       GAO audits at the agency level, these recommendations were IT-related and should also\n       be tracked on the agency\xe2\x80\x99s POA&Ms.\n       None of the recommendations from the FY 2011 contingency plan testing have been\n       added to the POA&Ms.\n       Not all of the weaknesses identified during the FY 2011 ASCT have been added to the\n       POA&Ms.\n\nInitial Target Remediation Dates Are Still Often Missed\n\nCarson Associates analyzed the POA&Ms for the three systems selected for evaluation in FY\n2011 to determine if target remediation dates are met. 
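A script that automates the three POA&M timeliness checks this section describes (weaknesses added within 15 days of discovery, closure measured against the scheduled completion date and open items overdue at the reporting cutoff, and closures reported to OMB long after the actual closure), as an added example that is not part of the report or of the agency’s tooling. The record layout, the hypothetical system names and item identifiers, the sample dates, and the 150-day and 90-day thresholds standing in for “more than 5 months” and “more than 3 months” are all assumptions for the example:

```python
"""POA&M timeliness checks over constructed records (added example, not agency code).

Three checks drawn from this section of the report:
  1. a new weakness must be added to the POA&M within 15 days of discovery;
  2. closed items that slipped far past their scheduled completion date, and
     open items that are overdue as of the reporting date;
  3. closures reported to OMB more than 3 months after the actual closure, and
     items closed before a submission cutoff but still counted as open in it.
Record layout, thresholds and sample data are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

ADD_DEADLINE_DAYS = 15    # agency POA&M procedures: add within 15 days of discovery
SLIP_5_MONTHS_DAYS = 150  # stand-in for "more than 5 months" (assumption)
LATE_REPORT_DAYS = 90     # stand-in for "more than 3 months" (assumption)


@dataclass(frozen=True)
class Weakness:
    item_id: str
    system: str
    discovered: date
    added_to_poam: date
    scheduled_completion: date
    actual_closed: Optional[date] = None    # None: still open
    reported_closed: Optional[date] = None  # submission date that first showed it closed


def added_late(w: Weakness) -> bool:
    """Check 1: more than ADD_DEADLINE_DAYS between discovery and POA&M entry."""
    return (w.added_to_poam - w.discovered).days > ADD_DEADLINE_DAYS


def closure_slip_days(w: Weakness) -> Optional[int]:
    """Days from scheduled completion to actual closure; None while the item is open."""
    if w.actual_closed is None:
        return None
    return (w.actual_closed - w.scheduled_completion).days


def is_overdue(w: Weakness, as_of: date) -> bool:
    """Check 2: open and past its scheduled completion date on the reporting date."""
    return w.actual_closed is None and as_of > w.scheduled_completion


def reported_late(w: Weakness) -> bool:
    """Check 3a: closure reported more than LATE_REPORT_DAYS after it happened."""
    if w.actual_closed is None or w.reported_closed is None:
        return False
    return (w.reported_closed - w.actual_closed).days > LATE_REPORT_DAYS


def counted_open_at_cutoff(w: Weakness, cutoff: date) -> bool:
    """Check 3b: closed on or before the submission cutoff but not reported closed in it."""
    if w.actual_closed is None or w.actual_closed > cutoff:
        return False
    return w.reported_closed is None or w.reported_closed > cutoff


def poam_report(items: List[Weakness], as_of: date, cutoff: date) -> Dict[str, dict]:
    """Per-system summary of all three checks."""
    report: Dict[str, dict] = {}
    for w in items:
        s = report.setdefault(w.system, {
            "open": 0, "overdue": 0, "slipped_over_5_months": [],
            "slipped_over_1_year": [], "added_late": [], "reported_late": [],
            "counted_open_at_cutoff": [],
        })
        if w.actual_closed is None:
            s["open"] += 1
            if is_overdue(w, as_of):
                s["overdue"] += 1
        slip = closure_slip_days(w)
        if slip is not None and slip > SLIP_5_MONTHS_DAYS:
            s["slipped_over_5_months"].append(w.item_id)
        if slip is not None and slip > 365:
            s["slipped_over_1_year"].append(w.item_id)
        if added_late(w):
            s["added_late"].append(w.item_id)
        if reported_late(w):
            s["reported_late"].append(w.item_id)
        if counted_open_at_cutoff(w, cutoff):
            s["counted_open_at_cutoff"].append(w.item_id)
    return report


# Constructed sample items for two hypothetical systems (not agency data).
SAMPLE = [
    Weakness("A-1", "SYS-A", date(2010, 6, 1), date(2010, 6, 10), date(2010, 12, 31), date(2011, 6, 15), date(2011, 6, 30)),
    Weakness("A-2", "SYS-A", date(2010, 1, 15), date(2010, 3, 1), date(2010, 3, 31), date(2011, 5, 2), date(2011, 9, 15)),
    Weakness("A-3", "SYS-A", date(2011, 3, 1), date(2011, 3, 10), date(2011, 8, 31)),
    Weakness("A-4", "SYS-A", date(2011, 5, 1), date(2011, 5, 5), date(2011, 12, 31)),
    Weakness("B-1", "SYS-B", date(2011, 2, 1), date(2011, 2, 14), date(2011, 6, 30), date(2011, 7, 10), date(2011, 9, 30)),
    Weakness("B-2", "SYS-B", date(2011, 4, 1), date(2011, 4, 30), date(2011, 10, 31)),
]

if __name__ == "__main__":
    # as_of: end of FY 2011; cutoff: the Q3 submission date assumed for the example
    for system, summary in poam_report(SAMPLE, as_of=date(2011, 9, 30), cutoff=date(2011, 6, 30)).items():
        print(system, summary)
```

Run against real POA&M exports, the submission date of each quarterly OMB report is the cutoff and the end of the quarter is the as-of date; the output is the same kind of per-system result the findings below are drawn from.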
Two of the three systems had at least one weakness that was closed more than 5 months after the scheduled completion date. One system had eight weaknesses that were closed over a year after their scheduled completion dates. Two of the three systems had half of their open weaknesses overdue.

POA&Ms Are Not Updated in a Timely Manner

Carson Associates analyzed all four of the agency’s FY 2011 POA&M submissions to OMB to determine whether POA&Ms are updated in a timely manner. We found multiple instances of POA&M items being reported closed more than 3 months after they were actually closed. In addition, we found multiple instances of the agency not counting weaknesses as closed when they had been closed by the OIG prior to the cutoff date for POA&M reporting.

3.7    Remote Access (Question 6)

OMB Memorandum M-06-16, Protection of Sensitive Agency Information, requires agencies to allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access, and to use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes of inactivity. NIST SP 800-53, control AC-17, Remote Access, requires organizations to authorize, monitor, and control all methods of remote access to their information systems.

The NRC Remote Access Program Is Generally Consistent with FISMA Requirements, OMB Policy, and Applicable NIST Guidelines

In order to evaluate the agency’s remote access program, Carson Associates reviewed NRC policies, procedures, and guidance related to remote access. We also reviewed the ASCT report for the agency’s infrastructure system for control AC-17, Remote Access. This control requires organizations to authorize, monitor, and control all methods of remote access to the information system. We determined that the agency has established and is maintaining a remote access program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.

Documented Policies and Procedures

On June 26, 2008, the agency issued the NRC Computer Security Information Protection Policy to address requirements specified in OMB Memoranda M-06-16 and M-06-19, Reporting Incidents Involving PII and Incorporating the Cost for Security in Agency IT Investments. The policy includes the requirement for remote access to any system that processes non-public NRC information to be constrained by a “time-out” function that requires re-authentication after 30 minutes of inactivity.

In December 2008, the agency issued a computer security policy for encryption of data at rest prior to removal from agency facilities, and updated NUREG/BR-168, Guide for IT Security, Policy for Processing Unclassified Safeguards Information on NRC Computers. This policy requires the use of encryption to protect sensitive data at rest, including when stored on media such as CDs, DVDs, thumb drives, backups, and external hard drives. The policy also states that the agency will be issuing a separate policy to address encryption of transmitted data.

On May 21, 2009, the agency issued the NRC agencywide Rules of Behavior for Authorized Computer Use. The rules of behavior are provided to NRC computer users as part of the annual computer security awareness course, and apply to all NRC employees, contractors, vendors, and agents (users) who have access to any system operated by the NRC or by a contractor or outside entity on behalf of the NRC. The rules of behavior include a requirement for users to use only NRC-approved technologies for remote access to the NRC network.

NRC provides centralized remote access via a component of its IT infrastructure system. After remote access through the centralized component, users have the same access to the network, NRC information, and NRC information systems as if they were logged into the network locally. The agency monitors remote access via a variety of mechanisms. At the agency level, control AC-17 was found to be in place, with the exception of enhancement 2, which requires the use of cryptography to protect the confidentiality and integrity of remote access sessions.

Cryptography is not used to protect the confidentiality and integrity of remote access sessions via dial-up. The agency has conducted a cost-benefit analysis to determine the feasibility of implementing a compliant solution and found that it is not cost justifiable because only a limited number of select users have dial-up access. The agency will be requesting a waiver for this enhancement.

3.8    Identity and Access Management Program (Question 7)

NIST SP 800-53 includes several controls related to identity and access management, including the following:

       AC-2, Account Management – Requires organizations to manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts, and to review system accounts at least annually.

       IA-1, Identification and Authentication Policy and Procedures – Requires organizations to develop, disseminate, and periodically review/update (i) a formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.

       IA-2, User Identification and Authentication – Requires information systems to uniquely identify and authenticate users (or processes acting on behalf of users).
       Also specifies requirements for the use of multifactor authentication.

       IA-3, Device Identification and Authentication – Requires information systems to identify and authenticate specific devices before establishing a connection.

       IA-4, Identifier Management – Requires organizations to manage user identifiers by (i) uniquely identifying each user, (ii) verifying the identity of each user, (iii) receiving authorization to issue a user identifier from an appropriate organization official, (iv) issuing the user identifier to the intended party, (v) disabling the user identifier after an organization-defined period of inactivity, and (vi) archiving user identifiers.

The NRC Identity and Access Management Program Is Generally Consistent with FISMA Requirements, OMB Policy, and Applicable NIST Guidelines

In order to evaluate the agency’s identity and access management program, Carson Associates reviewed:

       NRC policies, procedures, and guidance related to identity and access management.

       Security assessment and authorization documents for the three systems selected for evaluation during the FY 2011 independent evaluation, specifically controls related to identity and access management.

       The ASCT report for the agency’s common controls and the agency’s infrastructure system.

We determined that the agency has established and is maintaining an identity and access management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.

Carson Associates found minor deviations from the agency’s established identity and access management procedures. Specifically, some enhancements for account management, identification and authentication, and identifier management are not in place for a few of the agency’s systems. The agency’s continuous monitoring process ensures that these issues are identified, tracked on the agency’s POA&M, and remediated if possible. For those controls that cannot be implemented, the agency’s RMF allows system owners to formally request approval from the DAA to deviate from existing IT security requirements due to limitations (e.g., technical, business process, etc.).

Documented Policies and Procedures

MD and Handbook 12.5, Appendix A, Section 2.1, provides an agencywide identification and authentication policy for all systems. System owners may develop a system-specific identification and authentication policy to address system-specific requirements. System owners are responsible for developing, disseminating, reviewing, and updating formal, documented system-specific procedures to facilitate policy-compliant implementation of the identification and authentication policy and associated controls.

The agency has also issued several procedures and standards related to identity and access management, including the following:

       CSO-PROC-1323, NRC Procedure to Submit a Request for IT Hardware Security Approval.
       CSO-STD-0001, NRC Strong Password Standard.
       CSO-STD-2006, User Access Management Standard.
       CSO-STD-2007, Network Access Control Standard.

To determine if identity and access management procedures are consistently implemented, Carson Associates reviewed ST&E results for the three systems selected for evaluation in FY 2011, the test results for the agency’s common controls, and the agency’s infrastructure system, and found the following minor deviations:

       AC-2 – Test results indicate this control is in place for all systems reviewed with the exception of enhancement 3, which requires information systems to automatically disable inactive accounts after an organization-defined time period. NRC requires inactive accounts to be disabled after no more than 35 days of inactivity. Two of the systems are requesting a waiver for this enhancement based on the average usage of the systems. One system is also not able to implement enhancement 4, which requires information systems to automatically audit account creation, modification, disabling, and termination actions and to notify, as required, appropriate individuals. This system is not able to automatically notify appropriate individuals of account actions. This system is also requesting a waiver for this enhancement.

       IA-1 – Test results indicate the agency has developed and disseminated an agencywide identification and authentication policy for all systems; however, the organization does not review/update the policies and procedures annually as required by NRC. The overall procedures in MD and Handbook 12.5 have not been updated since 2003. MD and Handbook 12.5 are currently undergoing an update.

       IA-2 – Test results indicate this control is in place for all systems with the exception of enhancements related to multi-factor authentication for certain types of access. Resolution of these issues is dependent on completion of the agency’s implementation of the HSPD-12 Personal Identity Verification card.

       IA-3 – This control is in place for all systems reviewed.

       IA-4 – Test results indicate this control is in place for all but one of the systems reviewed. This control requires systems to disable user identifiers after an organization-defined period of inactivity. NRC requires user identifiers to be disabled after no more than 35 days of inactivity. This system is requesting a waiver for this enhancement based on the average usage of the system.

3.9    Continuous Monitoring Management (Question 8)

FISMA requires agencies to develop, document, and implement an agencywide information security program that includes periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a frequency depending on risk, but no less than annually. Such testing shall include testing of management, operational, and technical controls of every information system identified in the inventory required by FISMA.

At the agency level, NIST SP 800-53 requires agencies to (i) manage (i.e., document, track, and report) the security state of organizational information systems through security authorization processes, (ii) designate individuals to fulfill specific roles and responsibilities within the organizational risk management process, and (iii) fully integrate the security authorization processes into an organizationwide risk management program.
The last step of the security authorization process (the RMF) is monitor.

At the system level, NIST SP 800-53 requires organizations to establish a continuous monitoring strategy and implement a continuous monitoring program that includes (i) a configuration management process for the information system and its constituent components, (ii) a determination of the security impact of changes to the information system and environment of operation, (iii) ongoing security control assessments in accordance with the organizational continuous monitoring strategy, and (iv) reporting the security state of the information system to appropriate organizational officials at a frequency to be determined by the organization.

The NRC Continuous Monitoring Program Is Generally Consistent with FISMA Requirements, OMB Policy, and Applicable NIST Guidelines

In order to evaluate the agency’s enterprisewide continuous monitoring program, Carson Associates reviewed NRC policies, procedures, and guidance related to continuous monitoring. We also reviewed the continuous monitoring activities performed for all of the agency’s operational systems, including contractor systems. We determined that the agency has established and is maintaining an enterprisewide continuous monitoring program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.

Documented Policies and Procedures

CSO-PROS-1323, US NRC Agencywide Continuous Monitoring Program, provides direction for NRC continuous monitoring activities and describes the process for annual continuous monitoring reviews, related roles and responsibilities, and evaluation criteria. Continuous monitoring reviews are conducted on each office and its respective systems once per fiscal year to provide System Owners and the Designated Approving Authorities with insight into the agencywide IT security posture.

Once a year, the agency EDO issues a memorandum and risk management instructions requiring system owners to perform continuous monitoring activities required for FISMA. System owners are required to take the following actions:

   1. Perform an annual contingency plan test and submit an updated contingency plan and contingency plan test report to the CSO.
   2. In coordination with CSO, perform ASCT of NRC information systems and ensure that all ASCT reports are submitted in a timely fashion.
   3. For systems owned and/or operated by other agencies or contractors (e.g., e-Government systems), obtain a memorandum from the owning/operating agency/contractor confirming the completion of annual FISMA requirements and Authorization to Operate status.
   4. Conduct periodic patching and scanning.
   5. Update all security-related documentation (e.g., System Security Plans) in accordance with NRC requirements.
   6. Proactively track and mitigate open POA&M weaknesses identified during the course of ongoing security activities and provide timely submission of quarterly POA&M updates.

Systems that were authorized to operate within the past fiscal year have already had their security controls tested and, therefore, do not require additional ASCT. Each year, the CSO identifies a set of core controls that must be assessed annually for all systems. System owners were required to select additional controls with an emphasis on controls associated with POA&M items that have been closed within the past year, together with additional controls selected at the discretion of the system owner and controls added by Revision 3 of NIST SP 800-53.

Contingency plan testing is discussed in Section 3.10. Procedures for the oversight of contractor systems are discussed in Section 3.11. The agency’s security assessment and authorization process, including security plan updates, is discussed in Section 3.2.2. The agency’s POA&M program is discussed in Section 3.6. ASCT is discussed below.

NRC Has Completed Annual Security Control Testing for All Agency and Contractor Systems

Of the agency’s 24 operational systems, 3 were authorized to operate in the past fiscal year or underwent a full security control assessment as part of a re-authorization and, therefore, did not require additional ASCT. The remaining 18 agency systems and both contractor systems required ASCT. As of the completion of fieldwork for FY 2011, ASCT was completed for the 18 agency systems and 2 contractor systems that required ASCT.

3.10   Contingency Planning (Question 9)

FISMA requires agencies to develop plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, states that contingency plans should be tested at least annually and when significant changes are made to the information system, supported business process(es), or the contingency plan.

The NRC Business Continuity/Disaster Recovery Program Is Generally Consistent with FISMA Requirements, OMB Policy, and Applicable NIST Guidelines

In order to evaluate the agency’s enterprisewide business continuity/disaster recovery program, Carson Associates reviewed NRC policies, procedures, and guidance related to contingency planning. We also reviewed the contingency plans and contingency plan test reports for all of the agency’s operational systems, including contractor systems. We determined that the agency has established and is maintaining an enterprisewide business continuity/disaster recovery program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.

Documented Policies and Procedures

MD and Handbook 12.5 state that the NRC shall comply with NIST guidance, including guidance related to the preparation of security documentation (such as system security plans, IT risk assessments, and IT contingency plans) and other applicable NIST automated information security guidance for IT security processes, procedures, and testing. MD 12.5 also states that IT contingency plans for major applications and general support systems shall be tested each year.

A live test provides the best indication of the adequacy of a contingency plan. If a live test cannot be conducted due to operational constraints, a simulated test may be conducted in lieu of the live test. NRC CSO and OIS procedures also require annual contingency plan testing for all major applications and general support systems, including generating a contingency plan test report.

In early 2009, the agency conducted a Business Impact Analysis (BIA) in support of the development of the NRC Disaster Recovery Plan. The purpose of the BIA was to collect information from each office to document business processes along with other relevant information supporting the agency’s mission. In the near term, this data will be used to form the basis for prioritization of “business critical” IT systems currently in use at the NRC to determine systems to be covered under the disaster recovery plan. This information will also be used in the development of long term funding needs to support the disaster recovery solution for the NRC.

The Executive Director for Operations issued a memorandum in December 2010 requiring system owners to perform continuous monitoring activities required for FISMA, including completing annual contingency plan testing of all major applications and general support systems. System owners were required to perform an annual contingency plan test and submit to the CSO an updated contingency plan and contingency plan test report. Testing completion dates must not exceed 1 year from when the last test was performed.
The instructions accompanying the memorandum also specify the types of contingency plan tests appropriate for low, moderate, and high system impact levels.

Annual Contingency Plan Testing Was Completed for All Agency Systems and All Contractor Systems

As of the completion of fieldwork for FY 2011, contingency plan testing11 was completed for all 22 of the agency’s operational NRC information systems and for both contractor systems for which NRC has direct oversight. In addition, all operational NRC information systems and all contractor systems have current contingency plans.

11 Any testing performed between October 1, 2010, and the completion of fieldwork would be considered as FY 2011 test results.

3.11     Contractor Systems (Question 10)

FISMA requires agencies to provide information security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of (1) information collected or maintained by or on behalf of the agency or (2) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.12

12 Information systems used or operated by a contractor of an agency or other organization on behalf of the agency refers to information systems that the agency considers to be either major applications or general support systems.

The NRC Contractor Oversight Program Is Generally Consistent with FISMA Requirements, OMB Policy, and Applicable NIST Guidelines

In order to evaluate the agency’s program to oversee contractor systems, Carson Associates reviewed:

       NRC policies, procedures, and guidance related to contractor oversight.

       NRC’s inventory of systems.

       Agreements such as memoranda of understanding (MOU), Interconnection Service Agreements, and contracts.

       Annual security control test reports, certification and accreditation documents, contingency plans, and contingency plan test reports for both contractor systems for which NRC has direct oversight.

       Documentation the agency obtained from the seven e-Government systems used by the agency confirming the completion of annual FISMA requirements and Authorization to Operate status.

We determined that the agency has established and is maintaining a contractor oversight program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.

Documented Policies and Procedures

NRC defines two types of systems that are operated by a contractor or other organization on behalf of NRC – contractor systems and e-Government systems. A contractor system is a system that processes NRC information and is operated and maintained by a contractor, and an e-Government system is a system that processes NRC information and is operated and maintained by another Federal agency.

The agency follows the same policies, procedures, and guidance in MD and Handbook 12.5 for contractor systems as it does for agency systems. All contractor systems must be authorized to operate prior to processing any sensitive NRC information or connecting to the NRC infrastructure and must undergo ASCT and annual contingency plan testing. Contractor systems are also required to undergo re-authorization per NRC policy.

For e-Government systems, the agency requires the responsible NRC system owner to demonstrate those systems meet FISMA requirements by providing proof of authority to operate, ASCT, and annual contingency plan testing. The agency also requires a privacy impact assessment and a security categorization for all e-Government systems. The agency may also require service level agreements or memoranda of understanding/agreement with those agencies.

The agency currently has no agency systems residing in a public cloud but does utilize several services that are considered software as a service. The agency’s risk management framework describes both system and service types used to characterize NRC information systems and the authorization requirements for each type. Authorization types are either authorization to operate or authorization to utilize (ATU). ATUs are issued for services such as those provided by other Federal organizations (e.g., e-Government systems) or by private contractors (e.g., software as a service). The NRC risk management framework also describes the authorization requirements for social media including public Web 2.0 Web sites owned and operated by external third-party providers such as YouTube and Facebook.

Agency Oversight of Contractor Systems Meets FISMA Requirements

As of the completion of fieldwork for FY 2011, both contractor systems for which NRC has direct oversight had a current authorization to operate and both have met NRC requirements for continuous monitoring, including ASCT, security plan updates, and annual contingency plan testing and contingency plan update.
The agency also has documentation demonstrating all\nseven e-Government systems used by the agency have completed of annual FISMA requirements\nand have a current authorization to operate.\n\n3.12   Security Capital Planning (Question 11)\n\nAt the organizational level, NIST SP 800-53 requires organizations to (1) ensure that all capital\nplanning and investment requests include the resources needed to implement the information\nsecurity program and documents all exceptions to this requirement, (2) employ a business\ncase/Exhibit 300/Exhibit 53 to record the resources required, and (3) ensure that information\nsecurity resources are available for expenditure as planned.\n\nAt the system level, NIST SP 800-53 requires organizations to (1) include a determination of\ninformation security requirements for the information system in mission/business process\nplanning; (2) determine, document, and allocate the resources required to protect the information\nsystem as part of its capital planning and investment control process; and (3) establish a discrete\nline item for information security in organizational programming and budgeting documentation.\n\nThe NRC CPIC Program Is Generally Consistent with FISMA Requirements, OMB Policy,\nand Applicable NIST Guidelines\n\nIn order to evaluate the agency\xe2\x80\x99s capital planning and investment program, Carson Associates\nreviewed NRC policies, procedures, and guidance specific to capital planning. We also reviewed\nthe ASCT report for the agency\xe2\x80\x99s common controls, specifically control PM-3, Information\nSecurity Resources, as this control is provided at the agency level for all NRC information\nsystems. 
We determined that the agency established and maintains a security capital planning\nand investment program for information security.\n\nDocumented Policies and Procedures\n\nThe agency\xe2\x80\x99s CPIC program includes documented policies and procedures to address\ninformation security in the capital planning and investment control process. MD and Handbook\n2.8 describe the agency\xe2\x80\x99s project management policy. The purpose of the PMM is to establish an\nIT investment process that facilitates the effective selection, implementation, management, and\nevaluation of IT investments throughout their entire life cycle. The PMM also includes an IT\nCPIC program to ensure management of IT investments through the research, selection, control,\nand evaluation phases of the investment life cycle. The CPIC process is a key component of\n\n\n                                                33\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\nPMM and consists of four phases at NRC: research, select, control, and evaluate. MD and\nHandbook 2.8 include a mapping of the four CPIC phases to the six PMM phases. The PMM\nWeb site provides additional details on CPIC and includes descriptions and process flow\ndiagrams for each CPIC phase.\n\nTo support the CPIC process, the PMM Web site provides several tools and documents including\nan Automated CPIC Process System User Guide. 
The PMM also has templates for various CPIC\nartifacts including project screening forms, Vision and Business Case documents, System\nRequirements Specifications, and Project Management Plans.\n\nIn order to determine if CPIC procedures are consistently implemented, we reviewed the ASCT\nreport for the agency\xe2\x80\x99s common controls, specifically control PM-3, Information Security\nResources, as this control is provided at the agency level for all NRC information systems.\nASCT of this control found it to be implemented correctly, operating as intended, and producing\nthe desired outcome with respect to meeting the security requirements for the agency. We\nreviewed the agency\xe2\x80\x99s budget year 2012 Exhibit 300s for the agency\xe2\x80\x99s major investments, and\nthe agency\xe2\x80\x99s budget year 2012 Exhibit 53 and found them to be consistent with the agency\xe2\x80\x99s\nCPIC program.\n\nInformation Security Requirements as Part of CPIC\n\nThe agency\xe2\x80\x99s CPIC program includes information security requirements as part of the capital\nplanning and investment process. All capital planning and investment requests are required to\ninclude the resources needed to implement the information security program. The Exhibit 300\nhas several key sections on spending, including security and privacy.\n\nBusiness Case/Exhibit 300/Exhibit 53\n\nThe agency\xe2\x80\x99s CPIC program employs a business case/Exhibit 300/Exhibit 53 to record the\ninformation resources required and to establish a discrete line item for information security. The\nExhibit 300 has several key sections on spending, including security and privacy. The Exhibit\n53 for budget year 2012 includes a line item for computer security. 
This investment includes\nproviding IT security compliance tracking; updates and support for staff security awareness and\nISSO training, IT security training for management, security incident response, conducting the\nannual FISMA reviews, and independent IT security testing. The Exhibit 53 also includes a line\nitem for IT Strategic Management. This investment includes support for the CPIC process, IT\nbudget reporting, and project control, and ensures integrity and security of systems and vendor\nproducts, compliance with project management standards, and technical assessment of hardware\nand software prior to purchase. In addition, each major investment on the Exhibit 53 has a\ncolumn for reporting IT security costs.\n\nInformation Security Resources\n\nThe agency\xe2\x80\x99s CPIC program ensures that information security resources are available for\nexpenditure as planned. The CPIC process requires project managers to coordinate all security-\nrelated activities directly through the Senior Information Technology Security Officer for the\n\n\n\n                                                34\n\x0c                                                                             Independent Evaluation of\n                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\nCSO FISMA Compliance and Oversight Team to ensure that the project meets all IT security\nrequirements necessary for security assessment and authorization of the system, and with the\nSenior Information Technology Security Officer for the CSO Cyber Situational Awareness,\nAnalysis, and Response Tea, to ensure the system infrastructure architecture meets security\ntechnical configuration standards before implementation.\n\nThe annual EDO memorandum and instructions on performing IT security risk management\nactivities include cost estimates for annual IT risk management tasks, including contingency plan\ntesting, contingency plan updates, 
vulnerability scans, security hardening checks, Web\napplication security assessments, and wireless scanning. The CSO has budgeted for the\nperformance of ASCT to relieve system owners of any additional burden.\n\n\n\n\n                                               35\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              36\n\x0c                                                                            Independent Evaluation of\n                                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\n4      Consolidated List of Recommendations\n\nThe Office of the Inspector General recommends that the Executive Director for Operations:\n\n    1. Develop and implement an organizationwide risk management strategy that is consistent\n       with NIST SP 800-37 and NIST SP 800-39.\n    2. Revise existing configuration management procedures to include performance measures\n       and/or monitoring procedures to ensure standard baseline configurations are implemented\n       for all systems.\n    3. Revise existing configuration management procedures to include performance measures\n       and/or monitoring procedures to ensure baseline configurations are documented for all\n       systems.\n    4. Revise existing configuration management procedures to include performance measures\n       and/or monitoring procedures to ensure software compliance assessments, including\n       vulnerability assessments, are performed as required: (i) before a system is connected to\n       the NRC production environment, (ii) during security test and evaluation of systems, and\n       (iii) as part of the agency\xe2\x80\x99s continuous monitoring environment.\n    5. 
Revise existing configuration management procedures to include performance measures\n       and/or monitoring procedures to ensure all systems components are included in requisite\n       software compliance assessments.\n    6. Revise existing configuration management procedures to include performance measures\n       and/or monitoring procedures to ensure all identified vulnerabilities, including\n       configuration-related vulnerabilities, scan findings, and security patch-related\n       vulnerabilities, are remediated in a timely manner in accordance with the timeframes\n       established by NRC.\n\n\n\n\n                                               37\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              38\n\x0c                                                                            Independent Evaluation of\n                                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\n5      Agency Comments\n\nAt an exit conference on November 3, 2011, agency officials agreed with the report\xe2\x80\x99s findings\nand recommendations and provided some editorial changes, which the OIG incorporated as\nappropriate. The agency opted not to submit formal comments.\n\n\n\n\n                                               39\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              40\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2011\n\n\nAppendix.          
OBJECTIVE, SCOPE, AND METHODOLOGY\n\nOBJECTIVE\n\nThe objective of this review was to perform an independent evaluation of the NRC\xe2\x80\x99s\nimplementation of FISMA for FY 2011.\n\nSCOPE\n\nThe evaluation focused on reviewing the agency\xe2\x80\x99s implementation of FISMA for FY 2011. We\nconducted this evaluation at NRC headquarters from April 2011 through September 2011. Any\ninformation received from the agency subsequent to the completion of fieldwork was\nincorporated when possible. The evaluation included assessment of compliance with FISMA\nrequirements and related information security policies, procedures, standards, and guidelines,\nand a review of information security policies, procedures, and practices of a representative subset\nof the agency\xe2\x80\x99s information systems, including contractor systems and systems provided by other\nFederal agencies. Throughout the evaluation, evaluators were aware of the potential for fraud,\nwaste, or misuse in the program.\n\nMETHODOLOGY\n\nTo conduct the independent evaluation, the team met with agency staff responsible for\nimplementing the agency\xe2\x80\x99s information system security program, reviewed security assessment\nand authorization documentation for the agency\xe2\x80\x99s operational information systems, and reviewed\nother documentation provided by the agency that demonstrated its implementation of FISMA.\n\nAll analyses were performed in accordance with guidance from the following:\n\n        National Institute of Standards and Technology standards and guidelines.\n        Nuclear Regulatory Commission Management Directive and Handbook 12.5, NRC\n        Automated Information Security Program.\n        NRC Office of the Inspector General audit guidance.\n\nThe evaluation work was conducted by Jane M. Laroussi, CISSP and Virgil Isola, CISSP, from\nRichard S. Carson & Associates, Inc.\n\n\n\n\n                                                41\n\x0c'